If you’re planning to take the SY0-501 exam, you should have a basic understanding of many of the well-known attacks. This includes advanced types of attacks launched against systems and networks.
For example, can you answer this practice test question?
Q. You are troubleshooting an intermittent connectivity issue with a webserver. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring?
A. DDoS attack
B. DoS attack
C. Amplification attack
D. Salting attack
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
DoS Versus DDoS
A denial-of-service (DoS) attack is an attack from one attacker against one target. A distributed denial-of-service (DDoS) attack is an attack from two or more computers against a single target. DDoS attacks often include sustained, abnormally high network traffic on the network interface card of the attacked computer. Other system resource usage (such as the processor and memory usage) will also be abnormally high. The goal of both is to perform a service attack and prevent legitimate users from accessing services on the target computer.
Privilege Escalation
Attackers often use privilege escalation tactics . For example, attackers often use remote access Trojans (RATs) to gain access to a single system. They typically have limited privileges (a combination of rights and permissions) when they first exploit a system. However, they use various privilege escalation techniques to gain more and more privileges.
Most of the attacks use privilege escalation techniques for the same reason—to gain more and more access to a system or a network.
Spoofing
Spoofing occurs when one person or entity impersonates or masquerades as someone or something else. Two common spoofing attacks mentioned specifically in the CompTIA objectives are media access control (MAC) address spoofing and Internet Protocol (IP) address spoofing.
Host systems on a network have a media access control (MAC) address assigned to the network interface card (NIC). These are hard-coded into the NIC. However, it’s possible to use software methods to associate a different MAC address to the NIC in a MAC spoofing attack. For example, a MAC flood attack where an attacker overwhelms a switch with spoofed MAC addresses. Flood guards prevent these types of attacks. Wireless attackers can bypass MAC address filtering by spoofing the MAC address of authorized systems.
In an IP spoofing attack, the attacker changes the source address so that it looks like the IP packet originated from a different source. This can allow an attacker to launch an attack from a single system, while it appears that the attack is coming from different IP addresses.
SYN Flood Attacks
The SYN flood attack is a common attack used against servers on the Internet. They are easy for attackers to launch, difficult to stop, and can cause significant problems. The SYN flood attack disrupts the TCP handshake process and can prevent legitimate clients from connecting. Two systems normally start a TCP session by exchanging three packets in a TCP handshake. For example, when a client establishes a session with a server, it takes the following steps:
1. The client sends a SYN (synchronize) packet to the server.
2. The server responds with a SYN/ACK (synchronize/acknowledge) packet.
3. The client completes the handshake by sending an ACK (acknowledge) packet. After establishing the session, the two systems exchange data.
However, in a SYN flood attack, the attacker never completes the handshake by sending the ACK packet. Additionally, the attacker sends a barrage of SYN packets, leaving the server with multiple half-open connections. The figure compares a normal TCP handshake with the start of a SYN flood attack.
TCP handshake and SYN flood attack
In some cases, these half-open connections can consume a server’s resources while it is waiting for the third packet, and it can actually crash. More often, though, the server limits the number of these half-open connections. Once the limit is reached, the server won’t accept any new connections, blocking connections from legitimate users. For example, Linux systems support an iptables command that can set a threshold for SYN packets, blocking them after the threshold is set. Although this prevents the SYN flood attack from crashing the system, it also denies service to legitimate clients.
Attackers can launch SYN flood attacks from a single system in a DoS attack. They will often spoof the source IP address when doing so. Attackers can also coordinate an attack from multiple systems using a DDoS attack.
Man-in-the-Middle Attacks
A man-in-the-middle(MITM) attack is a form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two. The two computers are unaware of the MITM computer, and it can interrupt the traffic at will or insert malicious code.
For example, imagine that Maggie and Bart are exchanging information with their two computers over a network. If Hacker Harry can launch an MITM attack from a third computer, he will be able to intercept all traffic. Maggie and Bart still receive all the information, so they are unaware of the attack. However, Hacker Harry also receives all the information. Because the MITM computer can control the entire conversation, it is easy to insert malicious code and send it to the computers. Address Resolution Protocol (ARP) poisoning is one way that an attacker can launch an MITM attack.
Kerberos helps prevent man-in-the-middle attacks with mutual authentication. It doesn’t allow a malicious system to insert itself in the middle of the conversation without the knowledge of the other two systems.quest
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Q. You are troubleshooting an intermittent connectivity issue with a webserver. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring?
A. DDoS attack
B. DoS attack
C. Amplification attack
D. Salting attack
Answerr is A. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources and this scenario indicates multiple connection attempts from different IP addresses.
A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack.
While the DDoS attack may be an amplification attack (an attack that significantly increases the amount of traffic sent to the victim), the scenario doesn’t give enough details to identify this as an amplification attack.
Salting is a method used to prevent brute force attacks to discover passwords.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on common and advanced types of attacks.
